Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
QID:NA282
#1
A host with the address of 192.168.125.34/27 needs to be denied access to all hosts outside its own subnet. To accomplish this, complete the command in brackets, [access-list 100 deny protocol address mackany], by draggin the appropriate options on the left to their correct placeholders on the right

Now what How2Pass states is correct is the following:
Protocol      IP
address      192.168.125.34  ---- here is where I have a problem  I placed 192.168.125.32
mask          0.0.0.0

Now the question clearly states "needs to be denied access to all hosts outside its own subnet" -- the subnet for this host is 192.168.125.32 through 192.168.125.48.

This lead me to the conclusion that address of the access-list had to be its entire network. How am I misinterpreting this question?

(By the way I have run across a couple of these and decided what the heck let me grab the competitions stuff and give it a whirl, dare I say, pass4sure. Believe me, the grammar is awful. You practically need an interpreter to follow their questions... I think it is awful... but, if I fail the exam I get my money back... personally, I would say for those that have posted about them on this site, to the rest save your money) which I don't want to fail the exam, so... I will be posting questions in this last two weeks before I take the 802 exam) :o
Reply
#2
Hey,

The question is confusing as I came with the same conclusion of 32 first but again it's 32 - 2 = 30, and 32 is subnet & 47 is broadcast. Again the question is why the subnet mask is 0.0.0.0
Reply
#3
First thing to to do is to define the subnet (which you have correct as 192.168.125.32), then as there are 27 bits used for sub-netting, this gives the mask the value of 255.255.255.224. This again you correctly state as having a subnet every 32. However, the host range will now be 33 - 62 as 63 is the broadcast - not 47 as stated by wtf007.

You don't seem to give all the information for the question, but from what you've provided then the following would appear to be true.

To deny the host (192.168.125.34) access to all hosts outside its network using an extended access list, then the following information is required:

access-list <number> permit/deny <protocol> <source> <destination> <mask>

e.g. access-list 100 permit ip host 192.168.125.32 192.168.125.0 0.0.0.255

As any access list includes an explicit deny statement that is there by default, then all other connections would be blocked. To answer the question from wtf007 about the subnet mask 0.0.0.0 - this is the wildcard mask for a host address, this means that all 4 octets must match exactly for the statement to be true.
Reply
#4
I was confused on this question as well. But when I read it more carefully I realized it's asking to block a host address, not a subnet, from access outside it's own subnet.

ip                                  = we're using TCP/IP addressing so this will stop it from accessing other hosts through ip
192.168.125.34 0.0.0.0  = use this as the source address since we're looking to block only a single host

the use of "any" as the destination is confusing, since it's use should deny access even to it's own subnet. But if you think of it like this it may help. I've realized with a lot of these questions a complete network diagram would really help you understand what's going on.

192.168.125.34 -------- switch --------router
                                    |
                                    |
                          192.168.125.35

Since ACL's are applied on routers only, the traffic from 192.168.125.34 to another host in the same subnet attached to the same switch won't get blocked by the ACL since the packets will never get to the ACL on the router.

The good part about this question, you don't need to worry about the destination "any" because they've provided it for you in the question.
Reply


Forum Jump:


Users browsing this thread: 3 Guest(s)